[Snort-devel] snort multiple network support

Todd Lewis tlewis at ...120...
Sat Nov 18 13:36:41 EST 2000


I have modified snort-1.6.3 to support to declaration of sets of networks
for the source or destination in rules.  Previously, one could only
specify a single network as the source or destination.  This behaviour
made specifying HOME_NET exclusions difficult when snort was running on
a firewall protecting multiple back-end networks.

The syntax allows stating a sequence of networks separated by colons.
(Leading colons, trailing colons, multiple colons, it all works.)
Since a single network with no colon describes a set of one network,
this patch is 100% reverse-compatible with previous rules.

I have created a diff file, which I attach, detailing my changes.
While I have myself tested this code, it has not been put through
SecureWorks' QA process.  We intend to license this code under the GPL
and ask for its incorporation into snort, but only after it has passed QA.
Until then, I am circulating this patch in order to get feedback from the
snort developers.  The code as it is right now '#ifdef's the new code and
preserves all of the old code; I would like to tidy this up for the final
patch, and if there is general consensus that this is a positive change to
snort, then I will do so before submitting the final version of this work.

There is a README.SMN (that's for Support Multiple Networks) included
in the patch detailing everything I could think of that anyone would
need to know about this patch.

I am happy to make changes to the code or documentation; feedback is
welcome and encouraged.

Todd Lewis                                       tlewis at ...120...

  God grant me the courage not to give up what I think is right, even
  though I think it is hopeless.          - Admiral Chester W. Nimitz
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.smn.patch.bz2
Type: application/octet-stream
Size: 7232 bytes
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20001118/c11b0885/attachment.obj>

More information about the Snort-devel mailing list